CVE-2024-24549
📋 TL;DR
This vulnerability in Apache Tomcat allows denial-of-service attacks via HTTP/2 requests. Attackers can send specially crafted HTTP/2 requests that exceed header size limits, causing Tomcat to delay stream resets and potentially exhaust server resources. It affects Tomcat versions 8.5.0 through 8.5.98, 9.0.0-M1 through 9.0.85, 10.1.0-M1 through 10.1.18, and 11.0.0-M1 through 11.0.0-M16.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Fedora by Fedoraproject
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, affecting all web applications hosted on the vulnerable Tomcat instance.
Likely Case
Degraded performance or intermittent service disruptions from repeated DoS attacks targeting the HTTP/2 implementation.
If Mitigated
Minimal impact if proper rate limiting, request filtering, and resource monitoring are in place.
🎯 Exploit Status
Exploitation requires sending HTTP/2 requests with oversized headers, which is straightforward for attackers with network access to the Tomcat instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.5.99, 9.0.86, 10.1.19, or 11.0.0-M17
Vendor Advisory: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up configuration files.
4. Replace the Tomcat installation with the patched version.
5. Restore configuration files.
6. Restart the Tomcat service.
🔧 Temporary Workarounds
Disable HTTP/2
Disable HTTP/2 protocol support to prevent exploitation via the vulnerable HTTP/2 handling.
Edit server.xml and remove or comment out HTTP/2 connector configurations
Implement Request Filtering
Use a web application firewall or reverse proxy to filter HTTP/2 requests with oversized headers.
Configure WAF rules to block HTTP/2 requests exceeding header size limits
🧯 If You Can't Patch
- Implement strict rate limiting on HTTP/2 connections to limit DoS impact
- Monitor Tomcat resource usage and set up alerts for abnormal HTTP/2 traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check the Tomcat version with the catalina.sh version command, or examine the server startup logs.
Check Version:
./catalina.sh version
Verify Fix Applied:
Verify that the Tomcat version is 8.5.99, 9.0.86, 10.1.19, or 11.0.0-M17, or a later release on the same branch.
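As an added example (not part of this advisory and not tooling from the Tomcat project), the POSIX shell script below performs both checks that the workaround and verification sections describe: it parses the output of catalina.sh version and compares the reported version against the fixed releases listed above, and it inspects a server.xml to see whether the HTTP/2 UpgradeProtocol element is still active outside XML comments (Tomcat enables HTTP/2 through that element nested inside a Connector, which is what the "Disable HTTP/2" workaround removes). The catalina.sh output and the two server.xml fragments embedded in the script are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Tomcat project): check whether a Tomcat
# instance is exposed to CVE-2024-24549. Two questions matter for a defender:
#   1. Is the running version at or past the fix for its branch?
#   2. Is HTTP/2 actually enabled in server.xml (the vulnerable code path)?
# Fixed versions are those named in the advisory: 8.5.99, 9.0.86, 10.1.19, 11.0.0-M17.

# Extract the bare version from `catalina.sh version` output read on stdin,
# e.g. "Server version: Apache Tomcat/9.0.85" -> "9.0.85".
version_from_catalina_output() {
  sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9A-Za-z.-]*\).*$|\1|p' | head -n 1
}

# Exit 0 if VERSION is at or past the fix for its branch, 1 if it is a
# vulnerable release, 2 if the branch is not one the advisory covers.
is_fixed() {
  v=$1
  branch=${v%.*}      # 9.0.85 -> 9.0 ; 11.0.0-M16 -> 11.0
  last=${v##*.}       # 9.0.85 -> 85  ; 11.0.0-M16 -> 0-M16
  case "$last" in
    *-M*) release=${last%%-M*}; milestone=${last#*-M} ;;
    *)    release=$last;        milestone="" ;;
  esac
  case "$branch" in
    8.5)  fixed_release=99; fixed_milestone="" ;;
    9.0)  fixed_release=86; fixed_milestone="" ;;
    10.1) fixed_release=19; fixed_milestone="" ;;
    11.0) fixed_release=0;  fixed_milestone=17 ;;
    *)    return 2 ;;
  esac
  if [ -n "$milestone" ]; then
    # A milestone build x.y.0-Mn is fixed only when the branch's fix is itself a
    # milestone (11.0.0-M17) and n is at or past it. Every 9.0.0-Mn and 10.1.0-Mn
    # predates 9.0.86 / 10.1.19 and is vulnerable.
    if [ -n "$fixed_milestone" ] && [ "$milestone" -ge "$fixed_milestone" ]; then
      return 0
    fi
    return 1
  fi
  if [ "$release" -ge "$fixed_release" ]; then
    return 0
  fi
  return 1
}

# Remove <!-- ... --> comments (including ones spanning lines) from XML on stdin,
# so a commented-out UpgradeProtocol element is not mistaken for an active one.
strip_xml_comments() {
  awk '
    BEGIN { incomment = 0 }
    {
      line = $0; out = ""
      while (length(line) > 0) {
        if (incomment) {
          idx = index(line, "-->")
          if (idx == 0) { line = ""; break }
          line = substr(line, idx + 3); incomment = 0
        } else {
          idx = index(line, "<!--")
          if (idx == 0) { out = out line; line = ""; break }
          out = out substr(line, 1, idx - 1)
          line = substr(line, idx + 4); incomment = 1
        }
      }
      print out
    }'
}

# Read server.xml on stdin; exit 0 if an HTTP/2 UpgradeProtocol is configured
# outside XML comments, 1 otherwise.
http2_enabled() {
  strip_xml_comments | grep -q 'org\.apache\.coyote\.http2\.Http2Protocol'
}

# Constructed sample of `catalina.sh version` output (not from a real host).
SAMPLE_CATALINA_OUTPUT='Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.85
Server number:  9.0.85.0'

# Constructed server.xml fragment with HTTP/2 enabled on the TLS connector.
SAMPLE_SERVER_XML_H2='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>'

# The same fragment after applying the "Disable HTTP/2" workaround.
SAMPLE_SERVER_XML_NO_H2='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <!-- HTTP/2 disabled as a CVE-2024-24549 workaround until the patched build is deployed
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      -->
    </Connector>
  </Service>
</Server>'

# Demonstration against the constructed samples. Against a real install, pipe
# "$CATALINA_HOME/bin/catalina.sh" version into version_from_catalina_output and
# "$CATALINA_BASE/conf/server.xml" into http2_enabled.
running=$(printf '%s\n' "$SAMPLE_CATALINA_OUTPUT" | version_from_catalina_output)
if is_fixed "$running"; then
  echo "Tomcat $running: fixed for CVE-2024-24549"
else
  echo "Tomcat $running: NOT fixed for CVE-2024-24549 (or branch not covered by the advisory)"
fi
if printf '%s\n' "$SAMPLE_SERVER_XML_H2" | http2_enabled; then
  echo "sample server.xml: HTTP/2 enabled, vulnerable code path reachable"
fi
if printf '%s\n' "$SAMPLE_SERVER_XML_NO_H2" | http2_enabled; then
  echo "workaround sample: HTTP/2 still enabled"
else
  echo "workaround sample: HTTP/2 disabled"
fi
```

is_fixed distinguishes three outcomes on purpose: a version on a branch the advisory does not list exits with status 2 rather than 0, so a caller that only checks for success will not report an unknown branch as patched, and one that only checks for failure should still read the status to tell "vulnerable" from "not covered".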
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP/2 connection resets
- Unusual number of HTTP/2 requests with large headers
- Tomcat resource exhaustion warnings
Network Indicators:
- High volume of HTTP/2 traffic to Tomcat ports
- HTTP/2 requests with abnormally large headers
SIEM Query:
source="tomcat.logs" AND ("HTTP/2" AND ("reset" OR "limit exceeded"))
🔗 References
- https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
- http://www.openwall.com/lists/oss-security/2024/03/13/3
- https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
- https://security.netapp.com/advisory/ntap-20240402-0002/